I finally got round to reading the Christmas edition of PC Plus this evening and was pleasantly surprised to see that someone had written in about a recent article of mine: 10 mistakes every programmer makes. It’s going to be next year before I republish it here in this hallowed blog, but you can read it over at TechRadar.com right now.
Anyway, I wrote it, it was published and Cecil Wallis sent an email to PC Plus saying:
Your article on mistakes every programmer makes interested me greatly because you haven’t — as far as I remember — discussed programming techniques previously. First, a minor quibble: if I walked away from sites that “promise to email you your original password”, I would never be able to buy anything online at all. Maybe there should be a distinction between convenience passwords and valuable passwords.
I found Julian Bucknall’s article about programmers’ mistakes fascinating. The part you’re referring to discussed storing sensitive data in plain text. I think we can both agree that it would be a poor show if a company stored a database of its customers’ logon and passwords in unencrypted form. That was the thrust of Julian’s argument. I agree with Julian though — if a business sends out plain text passwords via email, it gives a bad impression of its internal security [policies] and attitudes. Better firms will suggest creating a new password, or possibly email out pre-agreed clues and reminders hinting at your old access code.
My bank, unsurprisingly, doesn’t mess about. If I forget my password (which I do often), I have to answer a lot of security questions, then it posts a new code to my home address.
It’s also worth remembering that even if a hacker gets your password and logon details, they’ll most likely need your credit card information before they can order anything online. Most shops require your card identifier number (the three- or four-digit code on the back) before they’ll process your order.
You can further protect yourself by registering only credit card details with online shops. The Consumer Credit Act (1974) makes the card company liable for losses through fraud if you’ve acted sensibly. Register a debit card online and criminals will be able to take your cash straight from your account.
All that said, Julian’s point stands in my opinion. If a company emails out plain text passwords, move on. There are lots of online businesses out there, many of which take security very seriously.
Of course, what happened between Alex writing his reply and now was that someone well and truly hacked Gawker Media, and, even though their passwords were encrypted, they were soon cracked. (Gawker used DES, which is “easily” amenable to a brute-force attack, so the passwords were effectively stored as plain text.) The issue is not that, boom, your or my Gawker password was then in the hands of the bad guys (hey, hacker, write a comment for me would you?) but that a remarkable number of people use the same password across many sites. Sure, Amazon may be ultra secure, but if I use the same password (and my email address, which serves as my user ID, is easy to determine) for Bacon Cooks Online, which doesn’t give a damn about security, then the bad guys have access to my Amazon identity (and from there might start buying stuff: expensive electronics that are easily resold).
So by all means, have two passwords (don’t-give-a-damn and secure) in your life, but I’d be scared nevertheless. My banking and PayPal passwords are different and I change them regularly. I buy things from Amazon regularly and that has a different password too. My eBay password is different from my PayPal password, and so on and so forth.
As Alex says, I’m bloody glad that my bank plays really hard-nosed when I forget a password; I wouldn’t have it any other way. But then again I bought and use a password database program and don’t have to remember any passwords at all. All my passwords are different across every site and for every function. I wouldn’t be able to order stuff online if I didn’t have access to my database.
Anyway, I stand by my thesis: if a website posts you your original password when you report to them that you’ve forgotten it, then be very, very careful.
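To show what “can’t email you your original password” looks like in practice, here is an added example (not code from the original post or from PC Plus): a small, hypothetical Python user store that keeps only a salted, deliberately slow PBKDF2 digest of each password, so there is nothing recoverable to send, and handles “I forgot my password” with a hashed, single-use, time-limited reset token instead. The usernames and passwords in the comments are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000        # PBKDF2 work factor; raise it until one hash costs ~0.1s on your hardware
TOKEN_LIFETIME_SECS = 15 * 60

def hash_password(password, salt):
    # Salted, deliberately slow digest: the store never holds anything reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class UserStore:
    def __init__(self):
        self.users = {}     # username -> {"salt": bytes, "digest": bytes}
        self.resets = {}    # username -> {"token_hash": bytes, "expires": float}

    def register(self, username, password):
        salt = os.urandom(16)   # per-user salt: two users with the same password get different digests
        self.users[username] = {"salt": salt, "digest": hash_password(password, salt)}

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        # constant-time compare so the check does not leak how many bytes matched
        return hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"])

    def request_reset(self, username, now=None):
        # Returns the one-time token to email instead of a password; only its hash is stored.
        if username not in self.users:
            return None     # the web layer should still answer "email sent" to avoid confirming accounts
        token = secrets.token_urlsafe(32)
        self.resets[username] = {
            "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": (now if now is not None else time.time()) + TOKEN_LIFETIME_SECS,
        }
        return token

    def complete_reset(self, username, token, new_password, now=None):
        pending = self.resets.get(username)
        current = now if now is not None else time.time()
        if pending is None or current > pending["expires"]:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode("utf-8")).digest(), pending["token_hash"]):
            return False
        del self.resets[username]               # single use
        self.register(username, new_password)   # fresh salt and digest; the old digest is discarded
        return True
```

A site built this way has only digests and token hashes on disk, so a database leak hands an attacker work to do rather than a ready-made list of passwords to try on Amazon.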
Thompson Twins - Who Can Stop the Rain
(from Into the Gap)